Monday, December 28, 2009

Secure file system access for Windows 2008 Servers

With VPS technology becoming main stream quite a few companies are switching from shared hosting solutions to (cheap) VPS server solutions, mostly Windows based.

Security
As a web developer I need secure access to these systems. FTP is about as insecure as an unencrypted USB stick left behind in public transport. FTP is not an option.

WebDAV
I’ve given WebDAV (over SSL) a try. It works but I’m not quite happy with it. WebDAV on IIS is subject to the same rules as all other IIS applications. Meaning that it won’t allow me to update the Views folder of an MVC application because there is a web.config there that won’t give me access to that folder.
The alternative would be to install Apache for WebDAV. I’ve configured this for a customer that uses WebDAV to access shared subversion repositories. Once this is up and running it is very solid.
Installing apache however just to get secure filesystem access seems like overkill to me.
The nice thing about WebDAV is that Windows can connect to a WebDAV server directly and allows me to drag&drop files directly in explorer.

SSH
Ideally, I’d like to use SSH which I also use to access Unix based servers. I’ve looked into this a couple of years ago and found only half-baked or very expansive solutions. Recently I’ve come across freeSSHd.

It’s a near perfect solution. The only issue is that the configuration tool tries to interact with the service which is not allowed by default on Windows 2008. The work around is to stop the service, do the configuration and restart the service.

To connect to the SSH server I use WinSCP which allows me to drag & drop files onto the server.

FreeSSH installation on Windows 2008

  • Download and run the installer
  • During installation, make sure you select freeSSH to run as a service
  • Open up the computer management console and stop the freeSSH service.
  • Open the freeSSH admin console through the start menu. After starting it adds an icon to the system tray. Click that to open up the console.
  • On the Authentication tab:
    - Require password login
    - I don’t use public key login so disable public key
  • On the SFTP tab:
    Set the base folder to your web root
  • On the Users tab:
    Add users. I prefer to use Windows accounts and grant only SFTP access.
  • On the Host restrictions tab:
    Enable only administrative IP’s but you really should have a firewall policy that takes care of this.
  • On the Logging tab:
    Enable logging
  • Finally, make sure your firewall allows access to the SSH port (22 by default). As mentioned earlier it’s best to only allow access to this port for your own IP addresses.

1 comment:

Chris Barry said...

Hey, also winsshd has a free version, which seems very robust. The pay version integrates with the windows domain system. But it's not free for commercial use.